Merged revisions 65182 via svnmerge from

svn+ssh://pythondev@svn.python.org/python/trunk ........ r65182 | gregory.p.smith | 2008-07-22 06:46:32 +0200 (Tue, 22 Jul 2008) | 7 lines Issue #2620: Overflow checking when allocating or reallocating memory was not always being done properly in some python types and extension modules. PyMem_MALLOC, PyMem_REALLOC, PyMem_NEW and PyMem_RESIZE have all been updated to perform better checks and places in the code that would previously leak memory on the error path when such an allocation failed have been fixed. ........
2025-12-04 00:30:19 +00:00 · 2008-07-23 16:13:07 +00:00 · 2008-07-23 16:13:07 +00:00 · d492ad80c8
commit d492ad80c8
parent c1c54c1b04
5 changed files with 50 additions and 14 deletions
--- a/Objects/obmalloc.c
+++ b/Objects/obmalloc.c
@ -726,6 +726,15 @@ PyObject_Malloc(size_t nbytes)
 	poolp next;
 	uint size;

+	/*
+	 * Limit ourselves to PY_SSIZE_T_MAX bytes to prevent security holes.
+	 * Most python internals blindly use a signed Py_ssize_t to track
+	 * things without checking for overflows or negatives.
+	 * As size_t is unsigned, checking for nbytes < 0 is not required.
+	 */
+	if (nbytes > PY_SSIZE_T_MAX)
+		return NULL;
+
 	/*
 	 * This implicitly redirects malloc(0).
 	 */
@ -1130,6 +1139,15 @@ PyObject_Realloc(void *p, size_t nbytes)
 	if (p == NULL)
 		return PyObject_Malloc(nbytes);

+	/*
+	 * Limit ourselves to PY_SSIZE_T_MAX bytes to prevent security holes.
+	 * Most python internals blindly use a signed Py_ssize_t to track
+	 * things without checking for overflows or negatives.
+	 * As size_t is unsigned, checking for nbytes < 0 is not required.
+	 */
+	if (nbytes > PY_SSIZE_T_MAX)
+		return NULL;
+
 	pool = POOL_ADDR(p);
 	if (Py_ADDRESS_IN_RANGE(p, pool)) {
 		/* We're in charge of this block */